Re: Adamantix
On Thu, Jun 17, 2004 at 03:15:51PM +0200, Kim wrote: Hi All. I have been working with Debian for about 3 years now using it as different server solutions. The other day I came about the Adamantix distribution. Adamantix is a distribution that aims to be very secure and very hard to crack. The (...) Why is this level of security not the standard of Debian?

There are several things you should notice here:

1.- There is a kernel-patch-adamantix package and many of the Adamantix-specific tools (RSBAC tools mainly) are included in unstable and supported fully. It is not provided by default since it breaks a number of things (X, for example). This is a similar situation to that of exec-shield and SElinux in Debian.

2.- Besides the kernel changes, Adamantix recompiles the distribution with a GCC patch that should limit buffer overflows; this one is called SPP (formerly known as ProPolice). Steven Kemp is currently testing its impact (see http://shellcode.org/Cat/). Gcc 3.3 does not yet include the patch per default since it has not been sufficiently tested on non-i386 archs AFAIK (see #233208 and #213994 for more information). There have been a number of discussions at -devel regarding this patch (browse the archives).

So, regarding Debian vs Adamantix:

1.- the Adamantix kernel can be made on stock Debian; an admin has to do it himself since it's not provided per default, however. This will provide you RSBAC+PaX

2.- the pre-compiled packages are not available currently in Debian, but you can re-compile them yourself. Debian might provide, in the future, an i386 'flavor' that is compiled with SPP. However, this will be a different architecture (just like i386 is different from sparc) and that means there is a need for mirror space and porters.
So, even though all those features are currently easier to be found on Adamantix (after all it's a very feature-specific distribution) they will be available in Debian, fully supported and maybe even within the default installation, sometime in the future. How can you speed it up? Help get more testing/documentation done for the Adamantix-specific things and help make this new 'i386-spp' flavor available by testing both the SPP patches and packages compiled with SPP enabled. Notice that Adamantix's FAQ is not correct in some of the points they make (see http://www.adamantix.org/faq.html). You can submit bugs to Debian's BTS if they are related to any of the above. Further information is provided at [1]http://www.trusteddebian.org/ That link is not correct, and might be deprecated in the future, use www.adamantix.org HTH Javier PS: I will try to find some time to add this information to the Debian Security Manual. signature.asc Description: Digital signature
Re: Advice needed, trying to find the vulnerable code on Debian webserver.
On Wed, Jun 16, 2004 at 11:46:05AM +1200, TiM wrote: Look at installing mod_security, http://modsecurity.org Install some rules for it to harden your webserver, see if anything is flagged in the security log. Also notice that modsecurity provides a way to easily chroot your Apache web server, which would make life more difficult for an attacker (if he doesn't have a /tmp location to write on) Regards Javier
Re: Server slowdown...
On Sun, Apr 11, 2004 at 12:28:31AM +0200, Jaroslaw Tabor wrote: (..) After reboot, everything is working perfect. The question is where to start investigation. Can someone suggest some tool, to record statistics of CPU, Network, IO(drives) in correlation with processes ? Use sysstat, as soon as you install it it will start logging data at /var/log/sysstat (which can be analysed with sar(1) as well as with some other utilities). Regards Javier
Re: Positive press for Debian's security team
On Tue, Mar 30, 2004 at 03:52:49PM -0800, Matt Zimmerman wrote: A better question would be how they determined the applicability of the vulnerabilities. This is a non-trivial job even for many individual vulnerabilities, and they claim to have surveyed hundreds. Since they used a vulnerability database (ICAT) they probably (blindly) correlated vulnerabilities that applied to products versus published advisories which is bound to fail in many cases. Since the full report costs $899 and I assume (since this is news to mdz) they have not disclosed this information to the Debian Security team [0], I wonder if we will ever know what they are really talking about and what (if any) flaws the report has. For example, I find it funny the use of an average (instead of other alternative statistics metrics that more accurately reflect data) As it has been said already: lies, damn lies and statistics The fact that numbers (on average) don't match what I have published before (in 2001 [1] and last year at Debconf3 [2]) leads me to believe the data is not really accurate (although in my analysis I included all vulnerabilities and did not relate to severity). I would still be interested in reading the full report... Regards Javier [0] I wonder what's under the Companies And Organizations Interviewed For This Document in their report. [1] http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html [2] http://people.debian.org/~jfs/debconf/security/
Re: readdir and checksecurity
On Wed, Mar 24, 2004 at 10:55:08AM -0300, Christian Robottom Reis wrote: Hi there, one of our servers (which runs Debian Woody) was recently compromised, and had a suckit variant installed. We've gone through the reinstall and restore steps, and one of the things I looked at is debian's /usr/sbin/checksecurity script, which checks for changes in setuid files. (...) My question is: doesn't this situation sort of invalidate checksecurity's setuid check, since setuid files that are in hidden directories won't show up in the listing? IMHO any local host intrusion detection system (hids) is screwed once the system gets compromised. That is: - you cannot trust it at all (it might have been replaced with other stuff that will never alert you) - you cannot trust its reports (it might be based on false information since it can be tricked by the rootkit, just like a local admin might be) The deeper you put the hids in (that is, kernel space vs. userspace) the more you can trust it or expect it to find hidden stuff. But even then there are always ways around it if you can have a rootkit installed and running as root [0] That being said, you could argue that the setuid check is useless but, still, it might be able to find some stuff that the intruder left around without knowing it (people make mistakes, worms do too). And it still might alert you _before_ the rootkit gets installed [1] (in some cases, a system reboot is needed in order to get a proper rootkit installed, and the setuid check might run before that reboot). I wouldn't consider checksecurity's suid problem a bug, more like a limitation. Just my 2c. Regards Javier [0] Unless, of course, you use MAC (se-linux, rsbac) and even then it might only make it more difficult not necessarily impossible.
[1] _If_ you send these alerts/reports off-site, otherwise they can be manipulated after the intruder got admin privileges (most rootkits can wipe out logfiles, they don't wipe out checksecurity setuid's files just because Debian is not yet a specific target of rootkits AFAIK)
Re: Checking what running program are using old libraries
On Thu, Mar 18, 2004 at 12:03:29PM +0100, Jan Dittberner wrote: Such a script exists in testing package: debian-goodies filename: /usr/bin/checkrestart Also in Tiger, it's the 'check_finddeleted' module (at /usr/lib/tiger/scripts). Regards Javier
Re: Some clarifications about the Debian-security-HOWTO
On Fri, Feb 20, 2004 at 01:14:43PM +0100, Gian Piero Carrubba wrote: From http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s9.1.6 I've rewritten that in the CVS version, should be available in the website soon. Please review it in a few days. Regards Javier -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Tripwire (clone) which would you prefer?
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote: samhain (in unstable, should be easy to backport) which has some interesting features. And those interesting features should make you cautious before you deploy samhain in a production environment. I find it rather intrusive. In what sense? Logging to syslog/email/external database and signing the reports seems pretty unintrusive to me. Regards Javi
Re: Tripwire (clone) which would you prefer?
On Mon, Feb 23, 2004 at 10:42:05AM +0100, Jan Lühr wrote: Greetings, well, I'm looking for an open source intrusion detection. At first, tripwire captured my attention, but the last open source version seems to be three years old - is it still in development or badly vulnerable? Then I searched for tripwire in the woody packages and found integrit and bsign - so which would you prefer and why? Are there any other interesting projects that are worth looking at? Besides aide (which is nice, and has already been mentioned) there is also samhain (in unstable, should be easy to backport) which has some interesting features. Regards Javi
Re: Help! File permissions keep changing...
On Wed, Feb 18, 2004 at 11:05:30AM +0100, Richard Atterer wrote: Waah, SCARY! Users can create hard links to arbitrary files in that directory, e.g. links to other users' private files or to /etc/shadow, and automatically get read access to those files. That is, of course, if the partitions in the system have not been set up properly. I assumed they were ok, he _did_ say that he was changing file permissions and owners manually. Regards Javi
Re: Help! File permissions keep changing...
On Wed, Feb 18, 2004 at 11:50:27PM +1100, Russell Coker wrote: If you are going to change such things then you need to use the -uid or -gid options to find (depending on whether you are changing the UID or GID), and you need to do it when the machine is in single-user mode (IE no-one can login and cron jobs can't run). Hmmm.. I did say there was plenty of room for improvement, after all, obviously shell scripting is more prone to failure than a proper program in C but let's give it a shot:

--
#!/bin/bash
set -e
DIR_TO_FIX=/home/groupX
GROUP=mygroup
PERM=g+rwX
VALIDUSERS="me|myself|other"

# List owner and path of every regular file, keep only the approved owners
find "$DIR_TO_FIX" -type f -printf '%u %p\n' | egrep "^($VALIDUSERS) " |
while read -r user file
do
    # Recheck the user and file right before touching them, to narrow the race
    [ -e "$file" ] && {
        curuser=$(ls -dl "$file" | awk '{ print $3 }')
        [ "$curuser" = "$user" ] && {
            chgrp "$GROUP" "$file"    # chgrp, not chown: GROUP is a group name
            chmod "$PERM" "$file"
        }
    }
done
-

It would be nice if someone was to patch the -R option of chown/chgrp/chmod in coreutils to do this sort of thing. As an enhancement over the -h option? (to exclude hard links as well as symlinks) Regards Javi
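The shell script above re-reads the owner with ls(1) between find(1) and chgrp(1), which narrows the window but does not close it: a user can still replace the path with a hard link to someone else's file (Richard's point earlier in the thread) or with a symlink in that gap. The following is an added example, not code from the thread, showing how to do the same job without a path race: open each entry with O_NOFOLLOW, take the owner, type and link count from fstat(2) on the descriptor, and apply fchown(2)/fchmod(2) to that same descriptor. Files with more than one hard link are skipped, since the other name may be a private file. The directory, group and user set are assumptions; the fixture built by demo() is constructed for the example.

```python
#!/usr/bin/env python3
"""Race-resistant group/permission fixer for a shared directory.

Added example, not code from the original thread. It assumes a directory
(DIR_TO_FIX in the script above) whose files should belong to one group and
be group-writable, but only those created by approved users. Every check and
every change is made on an open file descriptor, symlinks are never followed,
and files with more than one hard link are left alone, because the other
name may be someone else's private file that a user linked in.
"""
import os
import stat
import tempfile

OPEN_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY | os.O_NONBLOCK


def fix_one(dirfd, name, allowed_uids, gid, add_mode):
    """Fix one directory entry. Returns "fixed" or "skipped"."""
    try:
        fd = os.open(name, OPEN_FLAGS, dir_fd=dirfd)
    except OSError:
        return "skipped"  # symlink (ELOOP), vanished, or unreadable: leave it
    try:
        st = os.fstat(fd)  # describes the inode we hold, not a path someone can swap
        if not stat.S_ISREG(st.st_mode):
            return "skipped"
        if st.st_nlink != 1:
            return "skipped"  # hard link: do not touch what may be another user's file
        if st.st_uid not in allowed_uids:
            return "skipped"
        os.fchown(fd, -1, gid)
        os.fchmod(fd, stat.S_IMODE(st.st_mode) | add_mode)
        return "fixed"
    finally:
        os.close(fd)


def fix_tree(root, allowed_uids, gid, add_mode=0o060):
    """Walk root without following symlinks and fix every regular file.
    add_mode defaults to g+rw. Returns a count per outcome."""
    counts = {"fixed": 0, "skipped": 0}

    def walk(dirfd):
        for entry in os.scandir(dirfd):
            if entry.is_dir(follow_symlinks=False):
                sub = os.open(entry.name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dirfd)
                try:
                    walk(sub)
                finally:
                    os.close(sub)
            else:
                counts[fix_one(dirfd, entry.name, allowed_uids, gid, add_mode)] += 1

    top = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        walk(top)
    finally:
        os.close(top)
    return counts


def demo():
    """Constructed fixture: one file by an approved user, one hard link to a
    private file outside the directory, one symlink to it. Returns the counts,
    the mode the shared file ends up with and the (unchanged) private mode."""
    root = tempfile.mkdtemp(prefix="groupX-")
    shared = os.path.join(root, "report.txt")
    with open(shared, "w") as f:
        f.write("shared data\n")
    os.chmod(shared, 0o600)
    private = os.path.join(tempfile.mkdtemp(prefix="private-"), "secret")
    with open(private, "w") as f:
        f.write("not for the group\n")
    os.chmod(private, 0o600)
    os.link(private, os.path.join(root, "looks-harmless"))     # hard link trick
    os.symlink(private, os.path.join(root, "also-harmless"))   # symlink trick
    counts = fix_tree(root, {os.getuid()}, os.getgid())
    return (counts,
            stat.S_IMODE(os.stat(shared).st_mode),
            stat.S_IMODE(os.stat(private).st_mode))


if __name__ == "__main__":
    print(demo())
```

Running it as a regular user works because fchown(2) only changes the group to one you belong to; as root it would also fix files of the approved users. The single-user-mode advice still stands for the case where the directory itself is being renamed around, but no attacker can make this code chmod an inode it did not inspect.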
Re: Hacked - is it my turn?
On Mon, Feb 02, 2004 at 10:59:11PM +0100, Andreas Schmidt wrote: =-=-=-=-=-=-=-=-=-=-=-=-=- Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody That's normal, its been discussed here before. It just needs to be added to logcheck patterns, a bug should be filed. 'tiger' also reports - while performing signature check of system binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write and /usr/bin/inetd do not match. This can not be confirmed by aide (cd-burned database, unsafe binary) or debsums (unsafe binary). Hi, have something similar here: # Performing signature check of system binaries... Do _not_ rely on that if you are _not_ using a stable system (and really, even then, unless you've regenerated the database yourself). Considering this kind of behavior is on two machines now makes me assume this might be another bug with tiger. :-) Well, it _kind_ of is, but that test should not be enabled on systems running sid or testing. The signature database is rarely updated (but you can update it yourself). In any case, rely on an integrity database (aide, tripwire, samhain, integrit... your call) instead of Tiger since it will only: - check against a signature database based on woody, which will never match yours. - check using 'debsums' which is not complete (some packages do not include md5 checksums for all the files) BTW, the machine logging this has sid installed. Moreover, I got these messages: # Performing check of 'services' ... (...) Is that anything to be worried about? After all, it's just some mappings in /etc/services, or is it? I don't run an ircd (I know of), for instance, and the other ports mentioned here are not shown as open by nmap/netstat. Yes, that just compares the system's /etc/services against the list that Tiger has which, again, might not match what you have in a sid system if you have upgraded netbase. I will take care of those probably before the release, feel free to file a bug, however.
Regards Javi
Re: LKM
On Mon, Jan 26, 2004 at 02:36:39PM -0500, Greg Folkert wrote: When I run tiger, I got a follow error: NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation NEW: Warning: Possible LKM Trojan installed (...) Please make sure this isn't the faulty chkrootkit... that mis-reported an LKM existing on your boxen. I believe chkrootkit is to blame here, the LKM check is prone to a lot of false positives in sid. I haven't been able to pinpoint what causes this, unfortunately it comes (NEW) and goes (OLD) so it's not cleaned by Tiger's do not send me stuff I already know about mechanism. There are some known false positives in chkrootkit [1] and given the way it checks for some of the rootkits it's bound to fail sometimes, also notice that there are known issues with the latest kernel (2.6) and glibc (some processes will not show up no matter what). Also, nautilus and mozilla-firebird seem to cause these false positives (as reported in bug #222179) It would be great if chkrootkit would detail more in the output message what hidden process leads it to believe there is a LKM so that these could be filtered through Tiger ignore mechanism... Regards Javi [1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=chkrootkit
Re: tiger: howto manage flood of `deleted files' alerts ???
On Wed, Jan 14, 2004 at 12:27:41AM -0700, Ryan Bradetich wrote: Actually the tigerrc is already loaded when the script execute ... I have tested a small patch that should do what you want. Javi, Do you see any problem with this method? If not I can work on a patch that will update all the checks to perform this test before running. I actually like the fact that tigerrc defines which tests 'tiger' (the program) runs whereas cronrc configures which tests 'tigercron' will run. Duplicating that (i.e. a module needs to be added into cronrc and disabled in tigerrc) might lead to confusion and to modules not being executed even if the admin thinks they will. Actually, it also hinders somebody from directly executing the script (for testing or debugging) because he has to modify tigerrc so that it is executed. Summary: I don't quite like the idea (for the above reasons). And it's quite as easy to just disable a script by removing the entry in cronrc as it is by modifying tigerrc. Regards Javi
Re: tiger: howto manage flood of `deleted files' alerts ???
On Fri, Jan 09, 2004 at 03:30:46PM -0500, Hubert Chan wrote: Javier == Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes: [...] Javier That only mandates what checks will be run when running 'tiger' Javier (the whole security suite). If you want to adjust the cron job Javier you should remove 'check_finddeleted' from /etc/tiger/cronrc. Thanks. That seems highly, uhm..., unintuitive, though. A note in tigerrc might help. (Or is it possible to change the behaviour so that tigerrc can disable a check? e.g. by having check_... load tigerrc?) Will add a note in the next upload. Javi
Re: Chrooted apache package for Debian?
On Fri, Jan 09, 2004 at 02:46:23PM +0100, Roman Medina wrote: Is there any official or non-official .deb package with a chrooted apache distro? Any related project? There isn't a project to do this, you have, however, documentation on how to do it at http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html Regards Javi
Re: tiger: howto eliminate spurious cron errors?
On Wed, Jan 07, 2004 at 02:26:03PM -0600, Michael D Schleif wrote: In the spirit of my current endeavor to eliminate noise from tiger, I find myself receiving the following stderr reports from tiger via cron: stdin: is not a tty Known bug and related to running 'mesg' non-interactively. It should be fixed already in tiger 3.2.1-6 IIRC. /usr/bin/find: /usr/X11R6/bin/: No such file or directory Related to deb_nopackfiles, you probably don't have any X stuff installed. This error is also fixed in the upstream sources (but has not made it yet to a release). /bin/sed: can't read /etc/printcap: No such file or directory This was unknown, will be fixed in next release. /bin/ls: /boot/boot.b: No such file or directory Ditto. Unfortunately, tiger.ignore cannot help me to eliminate this noise. That first one is especially annoying, since I receive it several times per day on several servers. What do you think? The release in unstable does have some errors from time to time. I purposely did not send this to /dev/null, but you can do so by just modifying /etc/cron.d/tiger (a conffile). Instead of

    0 * * * * root test -x /usr/sbin/tigercron && /usr/sbin/tigercron -q

use

    0 * * * * root test -x /usr/sbin/tigercron && /usr/sbin/tigercron -q 2>/dev/null

One of the reasons you didn't see any errors before is because the default was the former, I removed the /dev/null redirection in order to make errors obvious (and have them reported), trying to avoid a false sense of security :-) If you want to disable those errors in the meantime and don't want to apply the patches available currently for those, add the /dev/null redirection. Thanks for the info Javi
Re: tiger: howto manage flood of `deleted files' alerts ???
On Wed, Jan 07, 2004 at 02:13:19PM -0600, Michael D Schleif wrote: Server /usr/sbin/apache \(pid \d+\) is using deleted files The parent process of server /usr/sbin/apache \(pid \d+\) is using deleted files Program apache \(pid \d+, parent \d+\) is using a deleted file: .* /tmp/session_mm_apache0.sem \(deleted\) snip / Yes, I found these helpful. However, `\d' does *NOT* work on my system; rather, I had to change these to `[0-9]' -- and, yes, I did debug these with egrep, with same result. Oops. You are right, it should be [[:digit:]]+ instead of \d+ Javi
Re: Would this create a security problem?
On Fri, Jan 02, 2004 at 12:26:10AM +0200, Antti-Juhani Kaijanaho wrote: Hi, (...) My plan of action is to add support for file names that are passed to /bin/sh as commands, whose standard output stream becomes the default input. Now, since this will involve allowing execution of arbitrary out of band code, I am concerned that I may introduce a security problem. For example, if /etc/grep-dctrlrc or ~root/.grep-dctrl.rc becomes world-writable for some reason (it isn't by design, of course), a malicious local user can add code that will be executed as root when root next runs grep-available. In your opinion, is there any potential for a security problem in this scheme? If there is, what should I do about it? I don't fully understand your design, however, if you are going to use configuration files that might be tampered by a user to run external commands it might be worthwhile to check their permissions and ownership before making use of them (i.e. ensuring they are not world-writable and that they belong to the current running user). It is very common, however, to use configuration files in a way that they can modify the way code is executed. For example: a- obviously, stuff like ~/.bash_aliases b- init.d scripts sourcing /etc/default stuff and using the options in it as an addendum to those used in the script to startup/stop things. Some programs really do not care who the configuration file belongs to, other (sensitive) programs do check file permissions (ssh and gpg come to mind). http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/file-contents.html HTH Javi
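The check suggested above (owner is the running user or root, no group/world write bit) is worth doing on the file you actually opened rather than on the path, because a stat(2) followed by open(2) can be redirected in between. The following is an added example, not grep-dctrl's code, of that order of operations: open with O_NOFOLLOW, fstat(2) the descriptor, refuse anything that is not a regular file owned by a trusted uid with mode free of S_IWGRP and S_IWOTH, and only then parse it. The "name = command" line format, the file names and the sample contents in demo() are assumptions made for the example; nothing is executed.

```python
#!/usr/bin/env python3
"""Trust checks for a configuration file that can make a program run commands.

Added example, not grep-dctrl's code. Before honouring /etc/grep-dctrlrc or
~/.grep-dctrl.rc style files that name commands to execute, make sure the file
we actually opened (not the path, which could be swapped for a symlink) is a
regular file, owned by us or root, and not writable by group or others. This
is the same kind of check ssh applies to ~/.ssh/config. The "name = command"
line format and the sample files are assumptions for the example.
"""
import os
import stat
import tempfile


class UntrustedConfig(Exception):
    """Raised when a configuration file could have been written by someone else."""


def open_trusted(path, trusted_uids=None):
    """Open path without following symlinks, verify the opened inode, and
    return a text file object. Check after open, on the descriptor, so a
    rename between stat and open cannot switch the file under us."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as e:
        raise UntrustedConfig(f"{path}: {e.strerror}") from None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedConfig(f"{path}: not a regular file")
        if st.st_uid not in trusted_uids:
            raise UntrustedConfig(f"{path}: owned by uid {st.st_uid}, not by us or root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedConfig(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is group- or world-writable")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "r")


def load_commands(path):
    """Parse "name = shell command" lines from a trusted file into a dict.
    Nothing is executed here; the caller decides what to hand to /bin/sh."""
    commands = {}
    with open_trusted(path) as f:
        for lineno, line in enumerate(f, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, sep, cmd = line.partition("=")
            if not sep or not name.strip():
                raise ValueError(f"{path}:{lineno}: expected 'name = command'")
            commands[name.strip()] = cmd.strip()
    return commands


def demo():
    """Constructed fixture: a sane rc file, a world-writable copy, and a
    symlink to the sane one. Returns what load_commands does with each."""
    d = tempfile.mkdtemp(prefix="dctrl-")
    body = "# commands whose output becomes the default input\navailable = dpkg --print-avail\n"
    good = os.path.join(d, "grep-dctrlrc")
    bad = os.path.join(d, "grep-dctrlrc.tampered")
    link = os.path.join(d, "grep-dctrlrc.link")
    for p, mode in ((good, 0o644), (bad, 0o666)):
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, mode)
    os.symlink(good, link)
    results = {"good": load_commands(good)}
    for label, p in (("world-writable", bad), ("symlink", link)):
        try:
            load_commands(p)
            results[label] = "accepted"
        except UntrustedConfig:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Refusing symlinks outright is stricter than ssh, which walks every path component instead; for a file that decides which commands run as root, the stricter rule is the easier one to reason about.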
Re: Grsecurity, ssh and postfix
On Mon, Dec 08, 2003 at 09:30:04AM +0100, Domonkos Czinke wrote: Hi, I think you won't have to make a unique jail for ssh, you can use the pam module which is designed especially for this. Unfortunately AFAIK debian does not support that module, so you will have to compile your own packages. Btw you can switch off the double chroot restrictions Do you mean pam-chroot? $ apt-cache search pam chroot libpam-chroot - Chroot Pluggable Authentication Module for PAM Regards Javi
Re: Why not use /bin/noshell? (was Re: Why do system users have valid shells)
I have packaged a version of titan's tools (noshell+runas). Does anyone want to test them? Regards Javi
Re: bridge firewall
On Wed, Nov 26, 2003 at 03:20:49PM +0100, Francisco Oliveira wrote: Hi Brctl sends network log messages to all system consoles. I have tried modifying syslog but it does not stop. I don't want see all network messages Does anybody know how I can solve it? dmesg -n1 ? Tip: man dmesg Javi
Re: tiger stops sending reports
On Tue, Nov 11, 2003 at 08:31:42AM -0600, Hanasaki JiJi wrote: Tiger was installed on Sarge. After the first couple audit emails, the emails have stopped. Well, without further information it is difficult to determine if this is an error or not. Or even if this is due to Tiger's learning feature. This feature enables it to only send mails of changes in the system (so a problem will only be reported once not every time Tiger is run). Please read /usr/share/doc/tiger/README.hostids. If you have files under /var/log/tiger with times matching those of the ones when cron jobs (configured under /etc/tiger/cronrc) should be run then Tiger is working as expected. Regards Javi
Why not use /bin/noshell? (was Re: Why do system users have valid shells)
On Wed, Oct 22, 2003 at 09:45:24AM +0200, Tobias Reckhard wrote: Hi We recently noticed that a stock woody install produces an /etc/passwd in which most, if not all, system users have a valid shell entry of /bin/sh. They're all unable to login due to having no valid password, but best UNIX security practice typically involves giving accounts that don't need to be able to login a shell of /bin/false or /bin/true. Other distros (at least some of them) appear to follow suit. I have meant to ask this question for some time too. Especially since some distributions (such as RedHat) provide system users with a /bin/noshell shell. I'm not sure if this is the same shell as the one provided by Titan [1] but IMHO I believe it's a must to have a shell that logs the entry attempt to syslog (as opposed to what /bin/false or /bin/true do). So, does anybody know of any issues (Debian specific or not) related to using /bin/noshell instead? Regards Javi PS: I guess, as for recommended practice, you mean CERT's guidelines: http://www.cert.org/security-improvement/implementations/i049.02.html which does suggest using Titan's noshell [1] Titan's noshell can be found at: http://www.fish.com/titan/src1/noshell.c pgp0.pgp Description: PGP signature
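What distinguishes a noshell from /bin/false is the one line it writes to the auth facility before exiting non-zero. The following is an added example, not Titan's noshell.c or Red Hat's binary, implementing that logic: it records the uid and name, the tty, the client address from SSH_CONNECTION when sshd invoked it, and the arguments (sshd passes "-c command" for non-interactive sessions, so the attempted command is kept), and it strips control characters so an attacker cannot forge extra log lines through the command string. The program name and message format are assumptions; Titan's C version is the one you would install for system accounts, this shows the same behaviour in a form that can be tested beside the other examples.

```python
#!/usr/bin/env python3
"""noshell: a login shell that refuses every session and records the attempt.

Added example, not Titan's noshell.c or Red Hat's binary. /bin/false exits
silently; this logs who tried, from where, and what they tried to run, to
the auth facility first. Assumes only that a login program or sshd exec'd
it as the account's shell, possibly with "-c command" arguments.
"""
import os
import pwd
import sys
import syslog


def describe_attempt(uid, argv, tty, ssh_connection):
    """Build the one syslog line for a refused login.

    argv is the full argument vector the caller passed; argv[1:] is kept
    (truncated and with control characters replaced) because sshd hands the
    remote command over as "-c command" and that is the interesting part.
    """
    try:
        name = pwd.getpwuid(uid).pw_name
    except KeyError:
        name = "?"
    parts = [f"login refused for uid {uid} ({name})", f"tty={tty or 'none'}"]
    if ssh_connection:
        # SSH_CONNECTION is "client_ip client_port server_ip server_port"
        parts.append(f"ssh={ssh_connection.split()[0]}")
    if len(argv) > 1:
        # Newlines or escapes in the command would let the caller forge log
        # lines; replace anything not printable before logging.
        cmd = " ".join(argv[1:])
        cmd = "".join(c if c.isprintable() else "?" for c in cmd)
        parts.append(f"args={cmd[:200]!r}")
    return " ".join(parts)


def main(argv=None, environ=None):
    argv = sys.argv if argv is None else argv
    environ = os.environ if environ is None else environ
    tty = None
    try:
        if os.isatty(0):
            tty = os.ttyname(0)
    except OSError:
        pass  # stdin closed or not a terminal: log "none"
    msg = describe_attempt(os.getuid(), argv, tty, environ.get("SSH_CONNECTION"))
    syslog.openlog("noshell", syslog.LOG_PID, syslog.LOG_AUTH)
    syslog.syslog(syslog.LOG_WARNING, msg)
    syslog.closelog()
    # Tell the caller nothing useful and never return success.
    sys.stderr.write("This account is not available.\n")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Whatever implementation is used, the account still needs a locked password field as well; the shell only turns a silent refusal into one that shows up in auth.log.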
Re: Why not use /bin/noshell? (was Re: Why do system users have valid shells)
On Thu, Oct 23, 2003 at 10:35:26AM -0500, Micah Anderson wrote: Try the package falselogin That's not what I was looking for. I was looking for something that logged connection attempts, which falselogin does not. Regards Javi
Re: Why not use /bin/noshell? (was Re: Why do system users have valid shells)
On Thu, Oct 23, 2003 at 12:57:53PM +0100, Dale Amon wrote: If one isn't available, they are damn easy to write. I've probably got source laying around somewhere for one I wrote for NeXT's about a decade ago. Well, Titan's noshell source code is available, I'm not sure if its license is DFSG-free. RedHat's noshell probably is but I cannot find which package holds the source code (anyone?) Regards Javi